
New Member

OSPF over PIX w/ 6.2

Ok 6.3 code is out of the question for this example. I am looking for any solutions for 6.2 code only. Thanks in advance!

Here is the setup:

(in)r1--->area 1 |PIX| area 1 ---->(out)r2--->s0/0--area 0

r1 is in AS 1, r2 is in AS 2 and has area 0 off of s0/0 interface. r1 also has area 2 off of s0/0 interface. I am looking for examples on how to run OSPF from r1 to r2 with r1 being in area 2 and r2 being in area 0 without using a GRE tunnel. I could redistribute OSPF thru BGP but would this be the best/only solution? Any suggestions would be great.

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: OSPF over PIX w/ 6.2

Jeff,

In the solution I implemented, BGP was the only routing protocol passed through the firewall. Initially I tried to set the PIX up to allow traffic through, thinking I could use the OSPF neighbour feature so the routers could see each other. This failed, as that feature also uses multicast traffic, which the PIX drops.

So in the end I redistributed OSPF into BGP, tunneled the routing information through the firewall and redistributed back into OSPF.

I didn't try using a virtual link, but as OSPF relies heavily on multicast traffic I'm sure such a link would fail also.

Virtual links are often described as 'tunnels', but that is intended to promote understanding of the concept; they only operate within contiguous OSPF networks.

6.3 sounding attractive yet??
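The approach in the answer above (OSPF redistributed into BGP, a single BGP session through the firewall, then redistribution back into OSPF), written out as an added configuration example that is not from the original posters. All addresses, prefixes, process numbers, the tag value and the ACL, prefix-list and route-map names are assumptions; r2 mirrors r1 with its own values.

```cisco
! Constructed example. Assumed topology:
!   r1 (inside, AS 1) 10.1.1.1  --- PIX ---  r2 (outside, AS 2) 192.0.2.2
! Each router also needs a route to the other's peering address via the PIX.
!
! ---- r1 (IOS) ----
router ospf 1
 ! Import BGP-learned routes into OSPF and tag them on the way in
 redistribute bgp 1 subnets route-map BGP-TO-OSPF
!
router bgp 1
 no synchronization
 ! BGP is a unicast TCP/179 session, so nothing multicast has to cross the PIX
 neighbor 192.0.2.2 remote-as 2
 ! The peer is not on a directly connected subnet
 neighbor 192.0.2.2 ebgp-multihop 2
 ! Route filtering in both directions: only listed prefixes cross the firewall
 neighbor 192.0.2.2 prefix-list TO-R2 out
 neighbor 192.0.2.2 prefix-list FROM-R2 in
 redistribute ospf 1 match internal external 1 external 2 route-map OSPF-TO-BGP
 no auto-summary
!
ip prefix-list TO-R2 seq 5 permit 10.2.0.0/16 le 24
ip prefix-list FROM-R2 seq 5 permit 172.16.0.0/16 le 24
!
! Do not send routes that came from BGP back into BGP (redistribution loop)
route-map OSPF-TO-BGP deny 10
 match tag 65002
route-map OSPF-TO-BGP permit 20
!
route-map BGP-TO-OSPF permit 10
 set tag 65002
!
! ---- PIX (6.x syntax) ----
! Expose r1's peering address unchanged, then permit only TCP/179 from r2 to r1
static (inside,outside) 10.1.1.1 10.1.1.1 netmask 255.255.255.255
access-list outside_in permit tcp host 192.0.2.2 host 10.1.1.1 eq 179
access-group outside_in in interface outside
```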

4 REPLIES
Silver

Re: OSPF over PIX w/ 6.2

I had exactly the same application, also based on PIX 6.2. I ended up using BGP through the firewall, as that was the only solution that offered the route filtering as well. The customer considered the GRE as a bit too risky for his security application, so BGP it was.

Then when 6.3 came along life got a bit easier.

New Member

Re: OSPF over PIX w/ 6.2

Thanks for your reply! To follow up: how were you able to apply a virtual-link to either side?

And let's say "all" options are open, is there any other way that you know of to allow OSPF thru the PIX with this setup?

thanks- Jeff

New Member

Re: OSPF over PIX w/ 6.2

Thanks for the feedback!
